Skip to content

OAuth Resource Owner Password Grant Enabled

Low
ChrisMacNaughton published GHSA-w247-r3xj-79wc Jan 29, 2022

Package

EyeDP (Product)

Affected versions

<= 1.0.0.0b1

Patched versions

1.0.0

Description

The Doorkeeper configuration enables the Resource Owner Password Grant, as shown in the code snippet below (config/initializers/doorkeeper.rb).

grant_flows %w[authorization_code implicit_oidc password]

The password grant is configured properly: the method resource_owner_from_credentials is implemented and correctly validates username and password (single-factor authentication), properly setting the user information for the current request if the credentials match.
Hence a OIDC application may obtain an access token from the user's credentials:

POST /oauth/token HTTP/1.1
Host: eyedp.example.com
Connection: close
Content-Type: application/json
Content-Length: 203


{
 "username":"admin",
 "password": "Password4!",
 "grant_type": "password",
 "client_id":"Qzo7EdDO1Jcw5UCdbOdI5TJhOYb4JmEsJ7cqFWRqX3I",
 "client_secret":"Mcqw4qDarfeXdXB2S7PZPfO9SOF_J_5CTdNEXG7Wl88"
}

The request is successful, and the response contains the access token:

HTTP/1.1 200 OK
Server: nginx/1.21.5
Date: Wed, 26 Jan 2022 11:19:30 GMT

{
  "access_token":"gyJCv-WZqBr4DrbXgLztjSYBNSyNALS7AS0NtsOiG9U",
  "token_type":"Bearer",
  "expires_in":7200,
  "created_at":1643195970
}

The use of the password grant is discouraged by the OAuth 2.0 specification, especially when applications are not first-party (i.e., SSO applications), as this method of obtaining an access token bypasses the second factor authentication and may expose credentials to the service provider. Quoting the OAuth 2.0 specifications (RFC 6749), §1.3.3, the credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

Impact

Having the password grant flow enabled by default is not considered a secure default, as it may allow SSO applications to request password-based credentials to the users rather than using the SSO flow.

Patches

This issue is resolved in commit e39c25c. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.

Workarounds

None

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses